Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 5, 2025, 11:01 a.m.	Feb. 5, 2025, 11:03 a.m.

Size	112.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`043fe9d1a841d94435f8882125769b0c`
SHA256	`d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b`
CRC32	`CD5FF3AE`
ssdeep	`3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeheWgin8q:faZ1tme+1winj`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format

cHSzTDjVl.exe "C:\Users\test22\AppData\Local\Temp\cHSzTDjVl.exe"
2568

Name	Response	Post-Analysis Lookup
karahook.000webhostapp.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2026657	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)	Not Suspicious Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 5, 2025, 11:01 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Feb. 5, 2025, 11:01 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 5, 2025, 11:01 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Generates some ICMP traffic

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Lmir.laiL
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.PWS.Delf.INS
CAT-QuickHeal	Trojan.GandcrabIH.S17569987
Skyhigh	Trojan-FSEP!043FE9D1A841
ALYac	Trojan.PWS.Delf.INS
Cylance	Unsafe
VIPRE	Trojan.PWS.Delf.INS
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.PWS.Delf.INS
K7GW	Password-Stealer ( 0052f96e1 )
K7AntiVirus	Password-Stealer ( 0052f96e1 )
Arcabit	Trojan.PWS.Delf.INS
VirIT	Trojan.Win32.Stealer.BKXJ
Symantec	Infostealer.Rultazo
Elastic	Windows.Trojan.Azorult
ESET-NOD32	Win32/PSW.Delf.OSF
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	Trojan-PSW.Win32.Delf.aidq
Alibaba	TrojanPSW:Win32/Stimilina.7a480ac4
NANO-Antivirus	Trojan.Win32.Stealer.fitdqk
SUPERAntiSpyware	Trojan.Agent/Gen-Downloader
Rising	Stealer.AZORult!1.B7AE (CLASSIC)
Emsisoft	Trojan-PSW.Delf (A)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.PWS.Stealer.24814
Zillya	Trojan.Azorult.Win32.4
TrendMicro	TrojanSpy.Win32.COINSTEAL.SMPIS
McAfeeD	Real Protect-LS!043FE9D1A841
Trapmine	malicious.high.ml.score
CTX	exe.trojan.delf
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.043fe9d1a841d944
Jiangmin	Trojan.PSW.Azorult.pr
Webroot	W32.Adware.Gen
Google	Detected
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan[Ransom]/Win32.Blocker
Kingsoft	malware.kb.a.1000
Gridinsoft	Spy.Win32.AzorUlt.tr
Microsoft	Trojan:Win32/Stimilina
GData	Win32.Trojan-Stealer.KBot.B
Varist	W32/Delf_Troj.D.gen!Eldorado
AhnLab-V3	Trojan/Win32.Delf.R260844
McAfee	Trojan-FSEP!043FE9D1A841
TACHYON	Trojan-PWS/W32.Azorult.114688

cHSzTDjVl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All